xref: /freebsd/sys/netpfil/ipfw/nat64/nat64_translate.c (revision 19261079b74319502c6ffa1249920079f0f69a72)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2015-2019 Yandex LLC
5  * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org>
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31 
32 #include "opt_ipstealth.h"
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/counter.h>
37 #include <sys/errno.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/mbuf.h>
41 #include <sys/module.h>
42 #include <sys/rmlock.h>
43 #include <sys/rwlock.h>
44 #include <sys/socket.h>
45 #include <sys/queue.h>
46 
47 #include <net/if.h>
48 #include <net/if_var.h>
49 #include <net/if_pflog.h>
50 #include <net/pfil.h>
51 #include <net/netisr.h>
52 #include <net/route.h>
53 #include <net/route/nhop.h>
54 
55 #include <netinet/in.h>
56 #include <netinet/in_fib.h>
57 #include <netinet/in_var.h>
58 #include <netinet/ip.h>
59 #include <netinet/ip_var.h>
60 #include <netinet/ip_fw.h>
61 #include <netinet/ip6.h>
62 #include <netinet/icmp6.h>
63 #include <netinet/ip_icmp.h>
64 #include <netinet/tcp.h>
65 #include <netinet/udp.h>
66 #include <netinet6/in6_var.h>
67 #include <netinet6/in6_fib.h>
68 #include <netinet6/ip6_var.h>
69 #include <netinet6/ip_fw_nat64.h>
70 
71 #include <netpfil/pf/pf.h>
72 #include <netpfil/ipfw/ip_fw_private.h>
73 #include <machine/in_cksum.h>
74 
75 #include "ip_fw_nat64.h"
76 #include "nat64_translate.h"
77 
78 typedef int (*nat64_output_t)(struct ifnet *, struct mbuf *,
79     struct sockaddr *, struct nat64_counters *, void *);
80 typedef int (*nat64_output_one_t)(struct mbuf *, struct nat64_counters *,
81     void *);
82 
83 static struct nhop_object *nat64_find_route4(struct sockaddr_in *,
84     struct mbuf *);
85 static struct nhop_object *nat64_find_route6(struct sockaddr_in6 *,
86     struct mbuf *);
87 static int nat64_output_one(struct mbuf *, struct nat64_counters *, void *);
88 static int nat64_output(struct ifnet *, struct mbuf *, struct sockaddr *,
89     struct nat64_counters *, void *);
90 static int nat64_direct_output_one(struct mbuf *, struct nat64_counters *,
91     void *);
92 static int nat64_direct_output(struct ifnet *, struct mbuf *,
93     struct sockaddr *, struct nat64_counters *, void *);
94 
95 struct nat64_methods {
96 	nat64_output_t		output;
97 	nat64_output_one_t	output_one;
98 };
99 static const struct nat64_methods nat64_netisr = {
100 	.output = nat64_output,
101 	.output_one = nat64_output_one
102 };
103 static const struct nat64_methods nat64_direct = {
104 	.output = nat64_direct_output,
105 	.output_one = nat64_direct_output_one
106 };
107 
108 /* These variables should be initialized explicitly on module loading */
109 VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out);
110 VNET_DEFINE_STATIC(const int *, nat64ipstealth);
111 VNET_DEFINE_STATIC(const int *, nat64ip6stealth);
112 #define	V_nat64out		VNET(nat64out)
113 #define	V_nat64ipstealth	VNET(nat64ipstealth)
114 #define	V_nat64ip6stealth	VNET(nat64ip6stealth)
115 
116 static const int stealth_on = 1;
117 #ifndef IPSTEALTH
118 static const int stealth_off = 0;
119 #endif
120 
121 void
122 nat64_set_output_method(int direct)
123 {
124 
125 	if (direct != 0) {
126 		V_nat64out = &nat64_direct;
127 #ifdef IPSTEALTH
128 		/* Honor corresponding variables, if IPSTEALTH is defined */
129 		V_nat64ipstealth = &V_ipstealth;
130 		V_nat64ip6stealth = &V_ip6stealth;
131 #else
132 		/* otherwise we need to decrement HLIM/TTL for direct case */
133 		V_nat64ipstealth = V_nat64ip6stealth = &stealth_off;
134 #endif
135 	} else {
136 		V_nat64out = &nat64_netisr;
137 		/* Leave TTL/HLIM decrementing to forwarding code */
138 		V_nat64ipstealth = V_nat64ip6stealth = &stealth_on;
139 	}
140 }
141 
142 int
143 nat64_get_output_method(void)
144 {
145 
146 	return (V_nat64out == &nat64_direct ? 1: 0);
147 }
148 
149 static void
150 nat64_log(struct pfloghdr *logdata, struct mbuf *m, sa_family_t family)
151 {
152 
153 	logdata->dir = PF_OUT;
154 	logdata->af = family;
155 	ipfw_bpf_mtap2(logdata, PFLOG_HDRLEN, m);
156 }
157 
158 static int
159 nat64_direct_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
160     struct nat64_counters *stats, void *logdata)
161 {
162 	int error;
163 
164 	if (logdata != NULL)
165 		nat64_log(logdata, m, dst->sa_family);
166 	error = (*ifp->if_output)(ifp, m, dst, NULL);
167 	if (error != 0)
168 		NAT64STAT_INC(stats, oerrors);
169 	return (error);
170 }
171 
172 static int
173 nat64_direct_output_one(struct mbuf *m, struct nat64_counters *stats,
174     void *logdata)
175 {
176 	struct nhop_object *nh4 = NULL;
177 	struct nhop_object *nh6 = NULL;
178 	struct sockaddr_in6 dst6;
179 	struct sockaddr_in dst4;
180 	struct sockaddr *dst;
181 	struct ip6_hdr *ip6;
182 	struct ip *ip4;
183 	struct ifnet *ifp;
184 	int error;
185 
186 	ip4 = mtod(m, struct ip *);
187 	error = 0;
188 	switch (ip4->ip_v) {
189 	case IPVERSION:
190 		dst4.sin_addr = ip4->ip_dst;
191 		nh4 = nat64_find_route4(&dst4, m);
192 		if (nh4 == NULL) {
193 			NAT64STAT_INC(stats, noroute4);
194 			error = EHOSTUNREACH;
195 		} else {
196 			ifp = nh4->nh_ifp;
197 			dst = (struct sockaddr *)&dst4;
198 		}
199 		break;
200 	case (IPV6_VERSION >> 4):
201 		ip6 = mtod(m, struct ip6_hdr *);
202 		dst6.sin6_addr = ip6->ip6_dst;
203 		nh6 = nat64_find_route6(&dst6, m);
204 		if (nh6 == NULL) {
205 			NAT64STAT_INC(stats, noroute6);
206 			error = EHOSTUNREACH;
207 		} else {
208 			ifp = nh6->nh_ifp;
209 			dst = (struct sockaddr *)&dst6;
210 		}
211 		break;
212 	default:
213 		m_freem(m);
214 		NAT64STAT_INC(stats, dropped);
215 		DPRINTF(DP_DROPS, "dropped due to unknown IP version");
216 		return (EAFNOSUPPORT);
217 	}
218 	if (error != 0) {
219 		m_freem(m);
220 		return (EHOSTUNREACH);
221 	}
222 	if (logdata != NULL)
223 		nat64_log(logdata, m, dst->sa_family);
224 	error = (*ifp->if_output)(ifp, m, dst, NULL);
225 	if (error != 0)
226 		NAT64STAT_INC(stats, oerrors);
227 	return (error);
228 }
229 
230 static int
231 nat64_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
232     struct nat64_counters *stats, void *logdata)
233 {
234 	struct ip *ip4;
235 	int ret, af;
236 
237 	ip4 = mtod(m, struct ip *);
238 	switch (ip4->ip_v) {
239 	case IPVERSION:
240 		af = AF_INET;
241 		ret = NETISR_IP;
242 		break;
243 	case (IPV6_VERSION >> 4):
244 		af = AF_INET6;
245 		ret = NETISR_IPV6;
246 		break;
247 	default:
248 		m_freem(m);
249 		NAT64STAT_INC(stats, dropped);
250 		DPRINTF(DP_DROPS, "unknown IP version");
251 		return (EAFNOSUPPORT);
252 	}
253 	if (logdata != NULL)
254 		nat64_log(logdata, m, af);
255 	if (m->m_pkthdr.rcvif == NULL)
256 		m->m_pkthdr.rcvif = V_loif;
257 	ret = netisr_queue(ret, m);
258 	if (ret != 0)
259 		NAT64STAT_INC(stats, oerrors);
260 	return (ret);
261 }
262 
263 static int
264 nat64_output_one(struct mbuf *m, struct nat64_counters *stats, void *logdata)
265 {
266 
267 	return (nat64_output(NULL, m, NULL, stats, logdata));
268 }
269 
270 /*
271  * Check the given IPv6 prefix and length according to RFC6052:
272  *   The prefixes can only have one of the following lengths:
273  *   32, 40, 48, 56, 64, or 96 (The Well-Known Prefix is 96 bits long).
274  * Returns zero on success, otherwise EINVAL.
275  */
276 int
277 nat64_check_prefixlen(int length)
278 {
279 
280 	switch (length) {
281 	case 32:
282 	case 40:
283 	case 48:
284 	case 56:
285 	case 64:
286 	case 96:
287 		return (0);
288 	}
289 	return (EINVAL);
290 }
291 
292 int
293 nat64_check_prefix6(const struct in6_addr *prefix, int length)
294 {
295 
296 	if (nat64_check_prefixlen(length) != 0)
297 		return (EINVAL);
298 
299 	/* Well-known prefix has 96 prefix length */
300 	if (IN6_IS_ADDR_WKPFX(prefix) && length != 96)
301 		return (EINVAL);
302 
303 	/* Bits 64 to 71 must be set to zero */
304 	if (prefix->__u6_addr.__u6_addr8[8] != 0)
305 		return (EINVAL);
306 
307 	/* Some extra checks */
308 	if (IN6_IS_ADDR_MULTICAST(prefix) ||
309 	    IN6_IS_ADDR_UNSPECIFIED(prefix) ||
310 	    IN6_IS_ADDR_LOOPBACK(prefix))
311 		return (EINVAL);
312 	return (0);
313 }
314 
315 int
316 nat64_check_private_ip4(const struct nat64_config *cfg, in_addr_t ia)
317 {
318 
319 	if (cfg->flags & NAT64_ALLOW_PRIVATE)
320 		return (0);
321 
322 	/* WKPFX must not be used to represent non-global IPv4 addresses */
323 	if (cfg->flags & NAT64_WKPFX) {
324 		/* IN_PRIVATE */
325 		if ((ia & htonl(0xff000000)) == htonl(0x0a000000) ||
326 		    (ia & htonl(0xfff00000)) == htonl(0xac100000) ||
327 		    (ia & htonl(0xffff0000)) == htonl(0xc0a80000))
328 			return (1);
329 		/*
330 		 * RFC 5735:
331 		 *  192.0.0.0/24 - reserved for IETF protocol assignments
332 		 *  192.88.99.0/24 - for use as 6to4 relay anycast addresses
333 		 *  198.18.0.0/15 - for use in benchmark tests
334 		 *  192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 - for use
335 		 *   in documentation and example code
336 		 */
337 		if ((ia & htonl(0xffffff00)) == htonl(0xc0000000) ||
338 		    (ia & htonl(0xffffff00)) == htonl(0xc0586300) ||
339 		    (ia & htonl(0xfffffe00)) == htonl(0xc6120000) ||
340 		    (ia & htonl(0xffffff00)) == htonl(0xc0000200) ||
341 		    (ia & htonl(0xfffffe00)) == htonl(0xc6336400) ||
342 		    (ia & htonl(0xffffff00)) == htonl(0xcb007100))
343 			return (1);
344 	}
345 	return (0);
346 }
347 
348 /*
349  * Embed @ia IPv4 address into @ip6 IPv6 address.
350  * Place to embedding determined from prefix length @plen.
351  */
352 void
353 nat64_embed_ip4(struct in6_addr *ip6, int plen, in_addr_t ia)
354 {
355 
356 	switch (plen) {
357 	case 32:
358 	case 96:
359 		ip6->s6_addr32[plen / 32] = ia;
360 		break;
361 	case 40:
362 	case 48:
363 	case 56:
364 		/*
365 		 * Preserve prefix bits.
366 		 * Since suffix bits should be zero and reserved for future
367 		 * use, we just overwrite the whole word, where they are.
368 		 */
369 		ip6->s6_addr32[1] &= 0xffffffff << (32 - plen % 32);
370 #if BYTE_ORDER == BIG_ENDIAN
371 		ip6->s6_addr32[1] |= ia >> (plen % 32);
372 		ip6->s6_addr32[2] = ia << (24 - plen % 32);
373 #elif BYTE_ORDER == LITTLE_ENDIAN
374 		ip6->s6_addr32[1] |= ia << (plen % 32);
375 		ip6->s6_addr32[2] = ia >> (24 - plen % 32);
376 #endif
377 		break;
378 	case 64:
379 #if BYTE_ORDER == BIG_ENDIAN
380 		ip6->s6_addr32[2] = ia >> 8;
381 		ip6->s6_addr32[3] = ia << 24;
382 #elif BYTE_ORDER == LITTLE_ENDIAN
383 		ip6->s6_addr32[2] = ia << 8;
384 		ip6->s6_addr32[3] = ia >> 24;
385 #endif
386 		break;
387 	default:
388 		panic("Wrong plen: %d", plen);
389 	};
390 	/*
391 	 * Bits 64 to 71 of the address are reserved for compatibility
392 	 * with the host identifier format defined in the IPv6 addressing
393 	 * architecture [RFC4291]. These bits MUST be set to zero.
394 	 */
395 	ip6->s6_addr8[8] = 0;
396 }
397 
398 in_addr_t
399 nat64_extract_ip4(const struct in6_addr *ip6, int plen)
400 {
401 	in_addr_t ia;
402 
403 	/*
404 	 * According to RFC 6052 p2.2:
405 	 * IPv4-embedded IPv6 addresses are composed of a variable-length
406 	 * prefix, the embedded IPv4 address, and a variable length suffix.
407 	 * The suffix bits are reserved for future extensions and SHOULD
408 	 * be set to zero.
409 	 */
410 	switch (plen) {
411 	case 32:
412 		if (ip6->s6_addr32[3] != 0 || ip6->s6_addr32[2] != 0)
413 			goto badip6;
414 		break;
415 	case 40:
416 		if (ip6->s6_addr32[3] != 0 ||
417 		    (ip6->s6_addr32[2] & htonl(0xff00ffff)) != 0)
418 			goto badip6;
419 		break;
420 	case 48:
421 		if (ip6->s6_addr32[3] != 0 ||
422 		    (ip6->s6_addr32[2] & htonl(0xff0000ff)) != 0)
423 			goto badip6;
424 		break;
425 	case 56:
426 		if (ip6->s6_addr32[3] != 0 || ip6->s6_addr8[8] != 0)
427 			goto badip6;
428 		break;
429 	case 64:
430 		if (ip6->s6_addr8[8] != 0 ||
431 		    (ip6->s6_addr32[3] & htonl(0x00ffffff)) != 0)
432 			goto badip6;
433 	};
434 	switch (plen) {
435 	case 32:
436 	case 96:
437 		ia = ip6->s6_addr32[plen / 32];
438 		break;
439 	case 40:
440 	case 48:
441 	case 56:
442 #if BYTE_ORDER == BIG_ENDIAN
443 		ia = (ip6->s6_addr32[1] << (plen % 32)) |
444 		    (ip6->s6_addr32[2] >> (24 - plen % 32));
445 #elif BYTE_ORDER == LITTLE_ENDIAN
446 		ia = (ip6->s6_addr32[1] >> (plen % 32)) |
447 		    (ip6->s6_addr32[2] << (24 - plen % 32));
448 #endif
449 		break;
450 	case 64:
451 #if BYTE_ORDER == BIG_ENDIAN
452 		ia = (ip6->s6_addr32[2] << 8) | (ip6->s6_addr32[3] >> 24);
453 #elif BYTE_ORDER == LITTLE_ENDIAN
454 		ia = (ip6->s6_addr32[2] >> 8) | (ip6->s6_addr32[3] << 24);
455 #endif
456 		break;
457 	default:
458 		return (0);
459 	};
460 	if (nat64_check_ip4(ia) == 0)
461 		return (ia);
462 
463 	DPRINTF(DP_GENERIC | DP_DROPS,
464 	    "invalid destination address: %08x", ia);
465 	return (0);
466 badip6:
467 	DPRINTF(DP_GENERIC | DP_DROPS, "invalid IPv4-embedded IPv6 address");
468 	return (0);
469 }
470 
471 /*
472  * According to RFC 1624 the equation for incremental checksum update is:
473  *	HC' = ~(~HC + ~m + m')	--	[Eqn. 3]
474  *	HC' = HC - ~m - m'	--	[Eqn. 4]
475  * So, when we are replacing IPv4 addresses to IPv6, we
476  * can assume, that new bytes previously were zeros, and vise versa -
477  * when we replacing IPv6 addresses to IPv4, now unused bytes become
478  * zeros. The payload length in pseudo header has bigger size, but one
479  * half of it should be zero. Using the equation 4 we get:
480  *	HC' = HC - (~m0 + m0')	-- m0 is first changed word
481  *	HC' = (HC - (~m0 + m0')) - (~m1 + m1')	-- m1 is second changed word
482  *	HC' = HC - ~m0 - m0' - ~m1 - m1' - ... =
483  *	  = HC - sum(~m[i] + m'[i])
484  *
485  * The function result should be used as follows:
486  *	IPv6 to IPv4:	HC' = cksum_add(HC, result)
487  *	IPv4 to IPv6:	HC' = cksum_add(HC, ~result)
488  */
489 static uint16_t
490 nat64_cksum_convert(struct ip6_hdr *ip6, struct ip *ip)
491 {
492 	uint32_t sum;
493 	uint16_t *p;
494 
495 	sum = ~ip->ip_src.s_addr >> 16;
496 	sum += ~ip->ip_src.s_addr & 0xffff;
497 	sum += ~ip->ip_dst.s_addr >> 16;
498 	sum += ~ip->ip_dst.s_addr & 0xffff;
499 
500 	for (p = (uint16_t *)&ip6->ip6_src;
501 	    p < (uint16_t *)(&ip6->ip6_src + 2); p++)
502 		sum += *p;
503 
504 	while (sum >> 16)
505 		sum = (sum & 0xffff) + (sum >> 16);
506 	return (sum);
507 }
508 
509 static void
510 nat64_init_ip4hdr(const struct ip6_hdr *ip6, const struct ip6_frag *frag,
511     uint16_t plen, uint8_t proto, struct ip *ip)
512 {
513 
514 	/* assume addresses are already initialized */
515 	ip->ip_v = IPVERSION;
516 	ip->ip_hl = sizeof(*ip) >> 2;
517 	ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
518 	ip->ip_len = htons(sizeof(*ip) + plen);
519 	ip->ip_ttl = ip6->ip6_hlim;
520 	if (*V_nat64ip6stealth == 0)
521 		ip->ip_ttl -= IPV6_HLIMDEC;
522 	ip->ip_sum = 0;
523 	ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto;
524 	ip_fillid(ip);
525 	if (frag != NULL) {
526 		ip->ip_off = htons(ntohs(frag->ip6f_offlg) >> 3);
527 		if (frag->ip6f_offlg & IP6F_MORE_FRAG)
528 			ip->ip_off |= htons(IP_MF);
529 	} else {
530 		ip->ip_off = htons(IP_DF);
531 	}
532 	ip->ip_sum = in_cksum_hdr(ip);
533 }
534 
535 #define	FRAGSZ(mtu) ((mtu) - sizeof(struct ip6_hdr) - sizeof(struct ip6_frag))
536 static NAT64NOINLINE int
537 nat64_fragment6(struct nat64_counters *stats, struct ip6_hdr *ip6,
538     struct mbufq *mq, struct mbuf *m, uint32_t mtu, uint16_t ip_id,
539     uint16_t ip_off)
540 {
541 	struct ip6_frag ip6f;
542 	struct mbuf *n;
543 	uint16_t hlen, len, offset;
544 	int plen;
545 
546 	plen = ntohs(ip6->ip6_plen);
547 	hlen = sizeof(struct ip6_hdr);
548 
549 	/* Fragmentation isn't needed */
550 	if (ip_off == 0 && plen <= mtu - hlen) {
551 		M_PREPEND(m, hlen, M_NOWAIT);
552 		if (m == NULL) {
553 			NAT64STAT_INC(stats, nomem);
554 			return (ENOMEM);
555 		}
556 		bcopy(ip6, mtod(m, void *), hlen);
557 		if (mbufq_enqueue(mq, m) != 0) {
558 			m_freem(m);
559 			NAT64STAT_INC(stats, dropped);
560 			DPRINTF(DP_DROPS, "dropped due to mbufq overflow");
561 			return (ENOBUFS);
562 		}
563 		return (0);
564 	}
565 
566 	hlen += sizeof(struct ip6_frag);
567 	ip6f.ip6f_reserved = 0;
568 	ip6f.ip6f_nxt = ip6->ip6_nxt;
569 	ip6->ip6_nxt = IPPROTO_FRAGMENT;
570 	if (ip_off != 0) {
571 		/*
572 		 * We have got an IPv4 fragment.
573 		 * Use offset value and ip_id from original fragment.
574 		 */
575 		ip6f.ip6f_ident = htonl(ntohs(ip_id));
576 		offset = (ntohs(ip_off) & IP_OFFMASK) << 3;
577 		NAT64STAT_INC(stats, ifrags);
578 	} else {
579 		/* The packet size exceeds interface MTU */
580 		ip6f.ip6f_ident = htonl(ip6_randomid());
581 		offset = 0; /* First fragment*/
582 	}
583 	while (plen > 0 && m != NULL) {
584 		n = NULL;
585 		len = FRAGSZ(mtu) & ~7;
586 		if (len > plen)
587 			len = plen;
588 		ip6->ip6_plen = htons(len + sizeof(ip6f));
589 		ip6f.ip6f_offlg = ntohs(offset);
590 		if (len < plen || (ip_off & htons(IP_MF)) != 0)
591 			ip6f.ip6f_offlg |= IP6F_MORE_FRAG;
592 		offset += len;
593 		plen -= len;
594 		if (plen > 0) {
595 			n = m_split(m, len, M_NOWAIT);
596 			if (n == NULL)
597 				goto fail;
598 		}
599 		M_PREPEND(m, hlen, M_NOWAIT);
600 		if (m == NULL)
601 			goto fail;
602 		bcopy(ip6, mtod(m, void *), sizeof(struct ip6_hdr));
603 		bcopy(&ip6f, mtodo(m, sizeof(struct ip6_hdr)),
604 		    sizeof(struct ip6_frag));
605 		if (mbufq_enqueue(mq, m) != 0)
606 			goto fail;
607 		m = n;
608 	}
609 	NAT64STAT_ADD(stats, ofrags, mbufq_len(mq));
610 	return (0);
611 fail:
612 	if (m != NULL)
613 		m_freem(m);
614 	if (n != NULL)
615 		m_freem(n);
616 	mbufq_drain(mq);
617 	NAT64STAT_INC(stats, nomem);
618 	return (ENOMEM);
619 }
620 
621 static struct nhop_object *
622 nat64_find_route6(struct sockaddr_in6 *dst, struct mbuf *m)
623 {
624 	struct nhop_object *nh;
625 
626 	NET_EPOCH_ASSERT();
627 	nh = fib6_lookup(M_GETFIB(m), &dst->sin6_addr, 0, NHR_NONE, 0);
628 	if (nh == NULL)
629 		return (NULL);
630 	if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT))
631 		return (NULL);
632 
633 	dst->sin6_family = AF_INET6;
634 	dst->sin6_len = sizeof(*dst);
635 	if (nh->nh_flags & NHF_GATEWAY)
636 		dst->sin6_addr = nh->gw6_sa.sin6_addr;
637 	dst->sin6_port = 0;
638 	dst->sin6_scope_id = 0;
639 	dst->sin6_flowinfo = 0;
640 	return (nh);
641 }
642 
643 #define	NAT64_ICMP6_PLEN	64
644 static NAT64NOINLINE void
645 nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint8_t code, uint32_t mtu,
646     struct nat64_counters *stats, void *logdata)
647 {
648 	struct icmp6_hdr *icmp6;
649 	struct ip6_hdr *ip6, *oip6;
650 	struct mbuf *n;
651 	int len, plen, proto;
652 
653 	len = 0;
654 	proto = nat64_getlasthdr(m, &len);
655 	if (proto < 0) {
656 		DPRINTF(DP_DROPS, "mbuf isn't contigious");
657 		goto freeit;
658 	}
659 	/*
660 	 * Do not send ICMPv6 in reply to ICMPv6 errors.
661 	 */
662 	if (proto == IPPROTO_ICMPV6) {
663 		if (m->m_len < len + sizeof(*icmp6)) {
664 			DPRINTF(DP_DROPS, "mbuf isn't contigious");
665 			goto freeit;
666 		}
667 		icmp6 = mtodo(m, len);
668 		if (icmp6->icmp6_type < ICMP6_ECHO_REQUEST ||
669 		    icmp6->icmp6_type == ND_REDIRECT) {
670 			DPRINTF(DP_DROPS, "do not send ICMPv6 in reply to "
671 			    "ICMPv6 errors");
672 			goto freeit;
673 		}
674 		/*
675 		 * If there are extra headers between IPv6 and ICMPv6,
676 		 * strip off them.
677 		 */
678 		if (len > sizeof(struct ip6_hdr)) {
679 			/*
680 			 * NOTE: ipfw_chk already did m_pullup() and it is
681 			 * expected that data is contigious from the start
682 			 * of IPv6 header up to the end of ICMPv6 header.
683 			 */
684 			bcopy(mtod(m, caddr_t),
685 			    mtodo(m, len - sizeof(struct ip6_hdr)),
686 			    sizeof(struct ip6_hdr));
687 			m_adj(m, len - sizeof(struct ip6_hdr));
688 		}
689 	}
690 	/*
691 	if (icmp6_ratelimit(&ip6->ip6_src, type, code))
692 		goto freeit;
693 		*/
694 	ip6 = mtod(m, struct ip6_hdr *);
695 	switch (type) {
696 	case ICMP6_DST_UNREACH:
697 	case ICMP6_PACKET_TOO_BIG:
698 	case ICMP6_TIME_EXCEEDED:
699 	case ICMP6_PARAM_PROB:
700 		break;
701 	default:
702 		goto freeit;
703 	}
704 	/* Calculate length of ICMPv6 payload */
705 	len = (m->m_pkthdr.len > NAT64_ICMP6_PLEN) ? NAT64_ICMP6_PLEN:
706 	    m->m_pkthdr.len;
707 
708 	/* Create new ICMPv6 datagram */
709 	plen = len + sizeof(struct icmp6_hdr);
710 	n = m_get2(sizeof(struct ip6_hdr) + plen + max_hdr, M_NOWAIT,
711 	    MT_HEADER, M_PKTHDR);
712 	if (n == NULL) {
713 		NAT64STAT_INC(stats, nomem);
714 		m_freem(m);
715 		return;
716 	}
717 	/*
718 	 * Move pkthdr from original mbuf. We should have initialized some
719 	 * fields, because we can reinject this mbuf to netisr and it will
720 	 * go through input path (it requires at least rcvif should be set).
721 	 * Also do M_ALIGN() to reduce chances of need to allocate new mbuf
722 	 * in the chain, when we will do M_PREPEND() or make some type of
723 	 * tunneling.
724 	 */
725 	m_move_pkthdr(n, m);
726 	M_ALIGN(n, sizeof(struct ip6_hdr) + plen + max_hdr);
727 
728 	n->m_len = n->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
729 	oip6 = mtod(n, struct ip6_hdr *);
730 	/*
731 	 * Make IPv6 source address selection for reflected datagram.
732 	 * nat64_check_ip6() doesn't allow scoped addresses, therefore
733 	 * we use zero scopeid.
734 	 */
735 	if (in6_selectsrc_addr(M_GETFIB(n), &ip6->ip6_src, 0,
736 	    n->m_pkthdr.rcvif, &oip6->ip6_src, NULL) != 0) {
737 		/*
738 		 * Failed to find proper source address, drop the packet.
739 		 */
740 		m_freem(n);
741 		goto freeit;
742 	}
743 	oip6->ip6_dst = ip6->ip6_src;
744 	oip6->ip6_nxt = IPPROTO_ICMPV6;
745 	oip6->ip6_flow = 0;
746 	oip6->ip6_vfc |= IPV6_VERSION;
747 	oip6->ip6_hlim = V_ip6_defhlim;
748 	oip6->ip6_plen = htons(plen);
749 
750 	icmp6 = mtodo(n, sizeof(struct ip6_hdr));
751 	icmp6->icmp6_cksum = 0;
752 	icmp6->icmp6_type = type;
753 	icmp6->icmp6_code = code;
754 	icmp6->icmp6_mtu = htonl(mtu);
755 
756 	m_copydata(m, 0, len, mtodo(n, sizeof(struct ip6_hdr) +
757 	    sizeof(struct icmp6_hdr)));
758 	icmp6->icmp6_cksum = in6_cksum(n, IPPROTO_ICMPV6,
759 	    sizeof(struct ip6_hdr), plen);
760 	m_freem(m);
761 	V_nat64out->output_one(n, stats, logdata);
762 	return;
763 freeit:
764 	NAT64STAT_INC(stats, dropped);
765 	m_freem(m);
766 }
767 
768 static struct nhop_object *
769 nat64_find_route4(struct sockaddr_in *dst, struct mbuf *m)
770 {
771 	struct nhop_object *nh;
772 
773 	NET_EPOCH_ASSERT();
774 	nh = fib4_lookup(M_GETFIB(m), dst->sin_addr, 0, NHR_NONE, 0);
775 	if (nh == NULL)
776 		return (NULL);
777 	if (nh->nh_flags & (NHF_BLACKHOLE | NHF_BROADCAST | NHF_REJECT))
778 		return (NULL);
779 
780 	dst->sin_family = AF_INET;
781 	dst->sin_len = sizeof(*dst);
782 	if (nh->nh_flags & NHF_GATEWAY)
783 		dst->sin_addr = nh->gw4_sa.sin_addr;
784 	dst->sin_port = 0;
785 	return (nh);
786 }
787 
788 #define	NAT64_ICMP_PLEN	64
789 static NAT64NOINLINE void
790 nat64_icmp_reflect(struct mbuf *m, uint8_t type,
791     uint8_t code, uint16_t mtu, struct nat64_counters *stats, void *logdata)
792 {
793 	struct icmp *icmp;
794 	struct ip *ip, *oip;
795 	struct mbuf *n;
796 	int len, plen;
797 
798 	ip = mtod(m, struct ip *);
799 	/* Do not send ICMP error if packet is not the first fragment */
800 	if (ip->ip_off & ~ntohs(IP_MF|IP_DF)) {
801 		DPRINTF(DP_DROPS, "not first fragment");
802 		goto freeit;
803 	}
804 	/* Do not send ICMP in reply to ICMP errors */
805 	if (ip->ip_p == IPPROTO_ICMP) {
806 		if (m->m_len < (ip->ip_hl << 2)) {
807 			DPRINTF(DP_DROPS, "mbuf isn't contigious");
808 			goto freeit;
809 		}
810 		icmp = mtodo(m, ip->ip_hl << 2);
811 		if (!ICMP_INFOTYPE(icmp->icmp_type)) {
812 			DPRINTF(DP_DROPS, "do not send ICMP in reply to "
813 			    "ICMP errors");
814 			goto freeit;
815 		}
816 	}
817 	switch (type) {
818 	case ICMP_UNREACH:
819 	case ICMP_TIMXCEED:
820 	case ICMP_PARAMPROB:
821 		break;
822 	default:
823 		goto freeit;
824 	}
825 	/* Calculate length of ICMP payload */
826 	len = (m->m_pkthdr.len > NAT64_ICMP_PLEN) ? (ip->ip_hl << 2) + 8:
827 	    m->m_pkthdr.len;
828 
829 	/* Create new ICMPv4 datagram */
830 	plen = len + sizeof(struct icmphdr) + sizeof(uint32_t);
831 	n = m_get2(sizeof(struct ip) + plen + max_hdr, M_NOWAIT,
832 	    MT_HEADER, M_PKTHDR);
833 	if (n == NULL) {
834 		NAT64STAT_INC(stats, nomem);
835 		m_freem(m);
836 		return;
837 	}
838 	m_move_pkthdr(n, m);
839 	M_ALIGN(n, sizeof(struct ip) + plen + max_hdr);
840 
841 	n->m_len = n->m_pkthdr.len = sizeof(struct ip) + plen;
842 	oip = mtod(n, struct ip *);
843 	oip->ip_v = IPVERSION;
844 	oip->ip_hl = sizeof(struct ip) >> 2;
845 	oip->ip_tos = 0;
846 	oip->ip_len = htons(n->m_pkthdr.len);
847 	oip->ip_ttl = V_ip_defttl;
848 	oip->ip_p = IPPROTO_ICMP;
849 	ip_fillid(oip);
850 	oip->ip_off = htons(IP_DF);
851 	oip->ip_src = ip->ip_dst;
852 	oip->ip_dst = ip->ip_src;
853 	oip->ip_sum = 0;
854 	oip->ip_sum = in_cksum_hdr(oip);
855 
856 	icmp = mtodo(n, sizeof(struct ip));
857 	icmp->icmp_type = type;
858 	icmp->icmp_code = code;
859 	icmp->icmp_cksum = 0;
860 	icmp->icmp_pmvoid = 0;
861 	icmp->icmp_nextmtu = htons(mtu);
862 	m_copydata(m, 0, len, mtodo(n, sizeof(struct ip) +
863 	    sizeof(struct icmphdr) + sizeof(uint32_t)));
864 	icmp->icmp_cksum = in_cksum_skip(n, sizeof(struct ip) + plen,
865 	    sizeof(struct ip));
866 	m_freem(m);
867 	V_nat64out->output_one(n, stats, logdata);
868 	return;
869 freeit:
870 	NAT64STAT_INC(stats, dropped);
871 	m_freem(m);
872 }
873 
874 /* Translate ICMP echo request/reply into ICMPv6 */
875 static void
876 nat64_icmp_handle_echo(struct ip6_hdr *ip6, struct icmp6_hdr *icmp6,
877     uint16_t id, uint8_t type)
878 {
879 	uint16_t old;
880 
881 	old = *(uint16_t *)icmp6;	/* save type+code in one word */
882 	icmp6->icmp6_type = type;
883 	/* Reflect ICMPv6 -> ICMPv4 type translation in the cksum */
884 	icmp6->icmp6_cksum = cksum_adjust(icmp6->icmp6_cksum,
885 	    old, *(uint16_t *)icmp6);
886 	if (id != 0) {
887 		old = icmp6->icmp6_id;
888 		icmp6->icmp6_id = id;
889 		/* Reflect ICMP id translation in the cksum */
890 		icmp6->icmp6_cksum = cksum_adjust(icmp6->icmp6_cksum,
891 		    old, id);
892 	}
893 	/* Reflect IPv6 pseudo header in the cksum */
894 	icmp6->icmp6_cksum = ~in6_cksum_pseudo(ip6, ntohs(ip6->ip6_plen),
895 	    IPPROTO_ICMPV6, ~icmp6->icmp6_cksum);
896 }
897 
898 static NAT64NOINLINE struct mbuf *
899 nat64_icmp_translate(struct mbuf *m, struct ip6_hdr *ip6, uint16_t icmpid,
900     int offset, struct nat64_config *cfg)
901 {
902 	struct ip ip;
903 	struct icmp *icmp;
904 	struct tcphdr *tcp;
905 	struct udphdr *udp;
906 	struct ip6_hdr *eip6;
907 	struct mbuf *n;
908 	uint32_t mtu;
909 	int len, hlen, plen;
910 	uint8_t type, code;
911 
912 	if (m->m_len < offset + ICMP_MINLEN)
913 		m = m_pullup(m, offset + ICMP_MINLEN);
914 	if (m == NULL) {
915 		NAT64STAT_INC(&cfg->stats, nomem);
916 		return (m);
917 	}
918 	mtu = 0;
919 	icmp = mtodo(m, offset);
920 	/* RFC 7915 p4.2 */
921 	switch (icmp->icmp_type) {
922 	case ICMP_ECHOREPLY:
923 		type = ICMP6_ECHO_REPLY;
924 		code = 0;
925 		break;
926 	case ICMP_UNREACH:
927 		type = ICMP6_DST_UNREACH;
928 		switch (icmp->icmp_code) {
929 		case ICMP_UNREACH_NET:
930 		case ICMP_UNREACH_HOST:
931 		case ICMP_UNREACH_SRCFAIL:
932 		case ICMP_UNREACH_NET_UNKNOWN:
933 		case ICMP_UNREACH_HOST_UNKNOWN:
934 		case ICMP_UNREACH_TOSNET:
935 		case ICMP_UNREACH_TOSHOST:
936 			code = ICMP6_DST_UNREACH_NOROUTE;
937 			break;
938 		case ICMP_UNREACH_PROTOCOL:
939 			type = ICMP6_PARAM_PROB;
940 			code = ICMP6_PARAMPROB_NEXTHEADER;
941 			break;
942 		case ICMP_UNREACH_PORT:
943 			code = ICMP6_DST_UNREACH_NOPORT;
944 			break;
945 		case ICMP_UNREACH_NEEDFRAG:
946 			type = ICMP6_PACKET_TOO_BIG;
947 			code = 0;
948 			/* XXX: needs an additional look */
949 			mtu = max(IPV6_MMTU, ntohs(icmp->icmp_nextmtu) + 20);
950 			break;
951 		case ICMP_UNREACH_NET_PROHIB:
952 		case ICMP_UNREACH_HOST_PROHIB:
953 		case ICMP_UNREACH_FILTER_PROHIB:
954 		case ICMP_UNREACH_PRECEDENCE_CUTOFF:
955 			code = ICMP6_DST_UNREACH_ADMIN;
956 			break;
957 		default:
958 			DPRINTF(DP_DROPS, "Unsupported ICMP type %d, code %d",
959 			    icmp->icmp_type, icmp->icmp_code);
960 			goto freeit;
961 		}
962 		break;
963 	case ICMP_TIMXCEED:
964 		type = ICMP6_TIME_EXCEEDED;
965 		code = icmp->icmp_code;
966 		break;
967 	case ICMP_ECHO:
968 		type = ICMP6_ECHO_REQUEST;
969 		code = 0;
970 		break;
971 	case ICMP_PARAMPROB:
972 		type = ICMP6_PARAM_PROB;
973 		switch (icmp->icmp_code) {
974 		case ICMP_PARAMPROB_ERRATPTR:
975 		case ICMP_PARAMPROB_LENGTH:
976 			code = ICMP6_PARAMPROB_HEADER;
977 			switch (icmp->icmp_pptr) {
978 			case 0: /* Version/IHL */
979 			case 1: /* Type Of Service */
980 				mtu = icmp->icmp_pptr;
981 				break;
982 			case 2: /* Total Length */
983 			case 3: mtu = 4; /* Payload Length */
984 				break;
985 			case 8: /* Time to Live */
986 				mtu = 7; /* Hop Limit */
987 				break;
988 			case 9: /* Protocol */
989 				mtu = 6; /* Next Header */
990 				break;
991 			case 12: /* Source address */
992 			case 13:
993 			case 14:
994 			case 15:
995 				mtu = 8;
996 				break;
997 			case 16: /* Destination address */
998 			case 17:
999 			case 18:
1000 			case 19:
1001 				mtu = 24;
1002 				break;
1003 			default: /* Silently drop */
1004 				DPRINTF(DP_DROPS, "Unsupported ICMP type %d,"
1005 				    " code %d, pptr %d", icmp->icmp_type,
1006 				    icmp->icmp_code, icmp->icmp_pptr);
1007 				goto freeit;
1008 			}
1009 			break;
1010 		default:
1011 			DPRINTF(DP_DROPS, "Unsupported ICMP type %d,"
1012 			    " code %d, pptr %d", icmp->icmp_type,
1013 			    icmp->icmp_code, icmp->icmp_pptr);
1014 			goto freeit;
1015 		}
1016 		break;
1017 	default:
1018 		DPRINTF(DP_DROPS, "Unsupported ICMP type %d, code %d",
1019 		    icmp->icmp_type, icmp->icmp_code);
1020 		goto freeit;
1021 	}
1022 	/*
1023 	 * For echo request/reply we can use original payload,
1024 	 * but we need adjust icmp_cksum, because ICMPv6 cksum covers
1025 	 * IPv6 pseudo header and ICMPv6 types differs from ICMPv4.
1026 	 */
1027 	if (type == ICMP6_ECHO_REQUEST || type == ICMP6_ECHO_REPLY) {
1028 		nat64_icmp_handle_echo(ip6, ICMP6(icmp), icmpid, type);
1029 		return (m);
1030 	}
1031 	/*
1032 	 * For other types of ICMP messages we need to translate inner
1033 	 * IPv4 header to IPv6 header.
1034 	 * Assume ICMP src is the same as payload dst
1035 	 * E.g. we have ( GWsrc1 , NATIP1 ) in outer header
1036 	 * and          ( NATIP1, Hostdst1 ) in ICMP copy header.
1037 	 * In that case, we already have map for NATIP1 and GWsrc1.
1038 	 * The only thing we need is to copy IPv6 map prefix to
1039 	 * Hostdst1.
1040 	 */
1041 	hlen = offset + ICMP_MINLEN;
1042 	if (m->m_pkthdr.len < hlen + sizeof(struct ip) + ICMP_MINLEN) {
1043 		DPRINTF(DP_DROPS, "Message is too short %d",
1044 		    m->m_pkthdr.len);
1045 		goto freeit;
1046 	}
1047 	m_copydata(m, hlen, sizeof(struct ip), (char *)&ip);
1048 	if (ip.ip_v != IPVERSION) {
1049 		DPRINTF(DP_DROPS, "Wrong IP version %d", ip.ip_v);
1050 		goto freeit;
1051 	}
1052 	hlen += ip.ip_hl << 2; /* Skip inner IP header */
1053 	if (nat64_check_ip4(ip.ip_src.s_addr) != 0 ||
1054 	    nat64_check_ip4(ip.ip_dst.s_addr) != 0 ||
1055 	    nat64_check_private_ip4(cfg, ip.ip_src.s_addr) != 0 ||
1056 	    nat64_check_private_ip4(cfg, ip.ip_dst.s_addr) != 0) {
1057 		DPRINTF(DP_DROPS, "IP addresses checks failed %04x -> %04x",
1058 		    ntohl(ip.ip_src.s_addr), ntohl(ip.ip_dst.s_addr));
1059 		goto freeit;
1060 	}
1061 	if (m->m_pkthdr.len < hlen + ICMP_MINLEN) {
1062 		DPRINTF(DP_DROPS, "Message is too short %d",
1063 		    m->m_pkthdr.len);
1064 		goto freeit;
1065 	}
1066 #if 0
1067 	/*
1068 	 * Check that inner source matches the outer destination.
1069 	 * XXX: We need some method to convert IPv4 into IPv6 address here,
1070 	 *	and compare IPv6 addresses.
1071 	 */
1072 	if (ip.ip_src.s_addr != nat64_get_ip4(&ip6->ip6_dst)) {
1073 		DPRINTF(DP_GENERIC, "Inner source doesn't match destination ",
1074 		    "%04x vs %04x", ip.ip_src.s_addr,
1075 		    nat64_get_ip4(&ip6->ip6_dst));
1076 		goto freeit;
1077 	}
1078 #endif
1079 	/*
1080 	 * Create new mbuf for ICMPv6 datagram.
1081 	 * NOTE: len is data length just after inner IP header.
1082 	 */
1083 	len = m->m_pkthdr.len - hlen;
1084 	if (sizeof(struct ip6_hdr) +
1085 	    sizeof(struct icmp6_hdr) + len > NAT64_ICMP6_PLEN)
1086 		len = NAT64_ICMP6_PLEN - sizeof(struct icmp6_hdr) -
1087 		    sizeof(struct ip6_hdr);
1088 	plen = sizeof(struct icmp6_hdr) + sizeof(struct ip6_hdr) + len;
1089 	n = m_get2(offset + plen + max_hdr, M_NOWAIT, MT_HEADER, M_PKTHDR);
1090 	if (n == NULL) {
1091 		NAT64STAT_INC(&cfg->stats, nomem);
1092 		m_freem(m);
1093 		return (NULL);
1094 	}
1095 	m_move_pkthdr(n, m);
1096 	M_ALIGN(n, offset + plen + max_hdr);
1097 	n->m_len = n->m_pkthdr.len = offset + plen;
1098 	/* Adjust ip6_plen in outer header */
1099 	ip6->ip6_plen = htons(plen);
1100 	/* Construct new inner IPv6 header */
1101 	eip6 = mtodo(n, offset + sizeof(struct icmp6_hdr));
1102 	eip6->ip6_src = ip6->ip6_dst;
1103 
1104 	/* Use the same prefix that we have in outer header */
1105 	eip6->ip6_dst = ip6->ip6_src;
1106 	MPASS(cfg->flags & NAT64_PLATPFX);
1107 	nat64_embed_ip4(&eip6->ip6_dst, cfg->plat_plen, ip.ip_dst.s_addr);
1108 
1109 	eip6->ip6_flow = htonl(ip.ip_tos << 20);
1110 	eip6->ip6_vfc |= IPV6_VERSION;
1111 	eip6->ip6_hlim = ip.ip_ttl;
1112 	eip6->ip6_plen = htons(ntohs(ip.ip_len) - (ip.ip_hl << 2));
1113 	eip6->ip6_nxt = (ip.ip_p == IPPROTO_ICMP) ? IPPROTO_ICMPV6: ip.ip_p;
1114 	m_copydata(m, hlen, len, (char *)(eip6 + 1));
1115 	/*
1116 	 * We need to translate source port in the inner ULP header,
1117 	 * and adjust ULP checksum.
1118 	 */
1119 	switch (ip.ip_p) {
1120 	case IPPROTO_TCP:
1121 		if (len < offsetof(struct tcphdr, th_sum))
1122 			break;
1123 		tcp = TCP(eip6 + 1);
1124 		if (icmpid != 0) {
1125 			tcp->th_sum = cksum_adjust(tcp->th_sum,
1126 			    tcp->th_sport, icmpid);
1127 			tcp->th_sport = icmpid;
1128 		}
1129 		tcp->th_sum = cksum_add(tcp->th_sum,
1130 		    ~nat64_cksum_convert(eip6, &ip));
1131 		break;
1132 	case IPPROTO_UDP:
1133 		if (len < offsetof(struct udphdr, uh_sum))
1134 			break;
1135 		udp = UDP(eip6 + 1);
1136 		if (icmpid != 0) {
1137 			udp->uh_sum = cksum_adjust(udp->uh_sum,
1138 			    udp->uh_sport, icmpid);
1139 			udp->uh_sport = icmpid;
1140 		}
1141 		udp->uh_sum = cksum_add(udp->uh_sum,
1142 		    ~nat64_cksum_convert(eip6, &ip));
1143 		break;
1144 	case IPPROTO_ICMP:
1145 		/*
1146 		 * Check if this is an ICMP error message for echo request
1147 		 * that we sent. I.e. ULP in the data containing invoking
1148 		 * packet is IPPROTO_ICMP and its type is ICMP_ECHO.
1149 		 */
1150 		icmp = (struct icmp *)(eip6 + 1);
1151 		if (icmp->icmp_type != ICMP_ECHO) {
1152 			m_freem(n);
1153 			goto freeit;
1154 		}
1155 		/*
1156 		 * For our client this original datagram should looks
1157 		 * like it was ICMPv6 datagram with type ICMP6_ECHO_REQUEST.
1158 		 * Thus we need adjust icmp_cksum and convert type from
1159 		 * ICMP_ECHO to ICMP6_ECHO_REQUEST.
1160 		 */
1161 		nat64_icmp_handle_echo(eip6, ICMP6(icmp), icmpid,
1162 		    ICMP6_ECHO_REQUEST);
1163 	}
1164 	m_freem(m);
1165 	/* Convert ICMPv4 into ICMPv6 header */
1166 	icmp = mtodo(n, offset);
1167 	ICMP6(icmp)->icmp6_type = type;
1168 	ICMP6(icmp)->icmp6_code = code;
1169 	ICMP6(icmp)->icmp6_mtu = htonl(mtu);
1170 	ICMP6(icmp)->icmp6_cksum = 0;
1171 	ICMP6(icmp)->icmp6_cksum = cksum_add(
1172 	    ~in6_cksum_pseudo(ip6, plen, IPPROTO_ICMPV6, 0),
1173 	    in_cksum_skip(n, n->m_pkthdr.len, offset));
1174 	return (n);
1175 freeit:
1176 	m_freem(m);
1177 	NAT64STAT_INC(&cfg->stats, dropped);
1178 	return (NULL);
1179 }
1180 
1181 int
1182 nat64_getlasthdr(struct mbuf *m, int *offset)
1183 {
1184 	struct ip6_hdr *ip6;
1185 	struct ip6_hbh *hbh;
1186 	int proto, hlen;
1187 
1188 	if (offset != NULL)
1189 		hlen = *offset;
1190 	else
1191 		hlen = 0;
1192 
1193 	if (m->m_len < hlen + sizeof(*ip6))
1194 		return (-1);
1195 
1196 	ip6 = mtodo(m, hlen);
1197 	hlen += sizeof(*ip6);
1198 	proto = ip6->ip6_nxt;
1199 	/* Skip extension headers */
1200 	while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING ||
1201 	    proto == IPPROTO_DSTOPTS) {
1202 		hbh = mtodo(m, hlen);
1203 		/*
1204 		 * We expect mbuf has contigious data up to
1205 		 * upper level header.
1206 		 */
1207 		if (m->m_len < hlen)
1208 			return (-1);
1209 		/*
1210 		 * We doesn't support Jumbo payload option,
1211 		 * so return error.
1212 		 */
1213 		if (proto == IPPROTO_HOPOPTS && ip6->ip6_plen == 0)
1214 			return (-1);
1215 		proto = hbh->ip6h_nxt;
1216 		hlen += (hbh->ip6h_len + 1) << 3;
1217 	}
1218 	if (offset != NULL)
1219 		*offset = hlen;
1220 	return (proto);
1221 }
1222 
1223 int
1224 nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *saddr,
1225     struct in6_addr *daddr, uint16_t lport, struct nat64_config *cfg,
1226     void *logdata)
1227 {
1228 	struct nhop_object *nh;
1229 	struct ip6_hdr ip6;
1230 	struct sockaddr_in6 dst;
1231 	struct ip *ip;
1232 	struct mbufq mq;
1233 	uint16_t ip_id, ip_off;
1234 	uint16_t *csum;
1235 	int plen, hlen;
1236 	uint8_t proto;
1237 
1238 	ip = mtod(m, struct ip*);
1239 
1240 	if (*V_nat64ipstealth == 0 && ip->ip_ttl <= IPTTLDEC) {
1241 		nat64_icmp_reflect(m, ICMP_TIMXCEED,
1242 		    ICMP_TIMXCEED_INTRANS, 0, &cfg->stats, logdata);
1243 		return (NAT64RETURN);
1244 	}
1245 
1246 	ip6.ip6_dst = *daddr;
1247 	ip6.ip6_src = *saddr;
1248 
1249 	hlen = ip->ip_hl << 2;
1250 	plen = ntohs(ip->ip_len) - hlen;
1251 	proto = ip->ip_p;
1252 
1253 	/* Save ip_id and ip_off, both are in network byte order */
1254 	ip_id = ip->ip_id;
1255 	ip_off = ip->ip_off & htons(IP_OFFMASK | IP_MF);
1256 
1257 	/* Fragment length must be multiple of 8 octets */
1258 	if ((ip->ip_off & htons(IP_MF)) != 0 && (plen & 0x7) != 0) {
1259 		nat64_icmp_reflect(m, ICMP_PARAMPROB,
1260 		    ICMP_PARAMPROB_LENGTH, 0, &cfg->stats, logdata);
1261 		return (NAT64RETURN);
1262 	}
1263 	/* Fragmented ICMP is unsupported */
1264 	if (proto == IPPROTO_ICMP && ip_off != 0) {
1265 		DPRINTF(DP_DROPS, "dropped due to fragmented ICMP");
1266 		NAT64STAT_INC(&cfg->stats, dropped);
1267 		return (NAT64MFREE);
1268 	}
1269 
1270 	dst.sin6_addr = ip6.ip6_dst;
1271 	nh = nat64_find_route6(&dst, m);
1272 	if (nh == NULL) {
1273 		NAT64STAT_INC(&cfg->stats, noroute6);
1274 		nat64_icmp_reflect(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0,
1275 		    &cfg->stats, logdata);
1276 		return (NAT64RETURN);
1277 	}
1278 	if (nh->nh_mtu < plen + sizeof(ip6) &&
1279 	    (ip->ip_off & htons(IP_DF)) != 0) {
1280 		nat64_icmp_reflect(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
1281 		    FRAGSZ(nh->nh_mtu) + sizeof(struct ip), &cfg->stats, logdata);
1282 		return (NAT64RETURN);
1283 	}
1284 
1285 	ip6.ip6_flow = htonl(ip->ip_tos << 20);
1286 	ip6.ip6_vfc |= IPV6_VERSION;
1287 	ip6.ip6_hlim = ip->ip_ttl;
1288 	if (*V_nat64ipstealth == 0)
1289 		ip6.ip6_hlim -= IPTTLDEC;
1290 	ip6.ip6_plen = htons(plen);
1291 	ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto;
1292 
1293 	/* Handle delayed checksums if needed. */
1294 	if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
1295 		m = mb_unmapped_to_ext(m);
1296 		if (m == NULL) {
1297 			NAT64STAT_INC(&cfg->stats, nomem);
1298 			return (NAT64RETURN);
1299 		}
1300 		in_delayed_cksum(m);
1301 		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
1302 	}
1303 	/* Convert checksums. */
1304 	switch (proto) {
1305 	case IPPROTO_TCP:
1306 		csum = &TCP(mtodo(m, hlen))->th_sum;
1307 		if (lport != 0) {
1308 			struct tcphdr *tcp = TCP(mtodo(m, hlen));
1309 			*csum = cksum_adjust(*csum, tcp->th_dport, lport);
1310 			tcp->th_dport = lport;
1311 		}
1312 		*csum = cksum_add(*csum, ~nat64_cksum_convert(&ip6, ip));
1313 		break;
1314 	case IPPROTO_UDP:
1315 		csum = &UDP(mtodo(m, hlen))->uh_sum;
1316 		if (lport != 0) {
1317 			struct udphdr *udp = UDP(mtodo(m, hlen));
1318 			*csum = cksum_adjust(*csum, udp->uh_dport, lport);
1319 			udp->uh_dport = lport;
1320 		}
1321 		*csum = cksum_add(*csum, ~nat64_cksum_convert(&ip6, ip));
1322 		break;
1323 	case IPPROTO_ICMP:
1324 		m = nat64_icmp_translate(m, &ip6, lport, hlen, cfg);
1325 		if (m == NULL)	/* stats already accounted */
1326 			return (NAT64RETURN);
1327 	}
1328 
1329 	m_adj(m, hlen);
1330 	mbufq_init(&mq, 255);
1331 	nat64_fragment6(&cfg->stats, &ip6, &mq, m, nh->nh_mtu, ip_id, ip_off);
1332 	while ((m = mbufq_dequeue(&mq)) != NULL) {
1333 		if (V_nat64out->output(nh->nh_ifp, m, (struct sockaddr *)&dst,
1334 		    &cfg->stats, logdata) != 0)
1335 			break;
1336 		NAT64STAT_INC(&cfg->stats, opcnt46);
1337 	}
1338 	mbufq_drain(&mq);
1339 	return (NAT64RETURN);
1340 }
1341 
1342 int
1343 nat64_handle_icmp6(struct mbuf *m, int hlen, uint32_t aaddr, uint16_t aport,
1344     struct nat64_config *cfg, void *logdata)
1345 {
1346 	struct ip ip;
1347 	struct icmp6_hdr *icmp6;
1348 	struct ip6_frag *ip6f;
1349 	struct ip6_hdr *ip6, *ip6i;
1350 	uint32_t mtu;
1351 	int plen, proto;
1352 	uint8_t type, code;
1353 
1354 	if (hlen == 0) {
1355 		ip6 = mtod(m, struct ip6_hdr *);
1356 		if (nat64_check_ip6(&ip6->ip6_src) != 0 ||
1357 		    nat64_check_ip6(&ip6->ip6_dst) != 0)
1358 			return (NAT64SKIP);
1359 
1360 		proto = nat64_getlasthdr(m, &hlen);
1361 		if (proto != IPPROTO_ICMPV6) {
1362 			DPRINTF(DP_DROPS,
1363 			    "dropped due to mbuf isn't contigious");
1364 			NAT64STAT_INC(&cfg->stats, dropped);
1365 			return (NAT64MFREE);
1366 		}
1367 	}
1368 
1369 	/*
1370 	 * Translate ICMPv6 type and code to ICMPv4 (RFC7915).
1371 	 * NOTE: ICMPv6 echo handled by nat64_do_handle_ip6().
1372 	 */
1373 	icmp6 = mtodo(m, hlen);
1374 	mtu = 0;
1375 	switch (icmp6->icmp6_type) {
1376 	case ICMP6_DST_UNREACH:
1377 		type = ICMP_UNREACH;
1378 		switch (icmp6->icmp6_code) {
1379 		case ICMP6_DST_UNREACH_NOROUTE:
1380 		case ICMP6_DST_UNREACH_BEYONDSCOPE:
1381 		case ICMP6_DST_UNREACH_ADDR:
1382 			code = ICMP_UNREACH_HOST;
1383 			break;
1384 		case ICMP6_DST_UNREACH_ADMIN:
1385 			code = ICMP_UNREACH_HOST_PROHIB;
1386 			break;
1387 		case ICMP6_DST_UNREACH_NOPORT:
1388 			code = ICMP_UNREACH_PORT;
1389 			break;
1390 		default:
1391 			DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d,"
1392 			    " code %d", icmp6->icmp6_type,
1393 			    icmp6->icmp6_code);
1394 			NAT64STAT_INC(&cfg->stats, dropped);
1395 			return (NAT64MFREE);
1396 		}
1397 		break;
1398 	case ICMP6_PACKET_TOO_BIG:
1399 		type = ICMP_UNREACH;
1400 		code = ICMP_UNREACH_NEEDFRAG;
1401 		mtu = ntohl(icmp6->icmp6_mtu);
1402 		if (mtu < IPV6_MMTU) {
1403 			DPRINTF(DP_DROPS, "Wrong MTU %d in ICMPv6 type %d,"
1404 			    " code %d", mtu, icmp6->icmp6_type,
1405 			    icmp6->icmp6_code);
1406 			NAT64STAT_INC(&cfg->stats, dropped);
1407 			return (NAT64MFREE);
1408 		}
1409 		/*
1410 		 * Adjust MTU to reflect difference between
1411 		 * IPv6 an IPv4 headers.
1412 		 */
1413 		mtu -= sizeof(struct ip6_hdr) - sizeof(struct ip);
1414 		break;
1415 	case ICMP6_TIME_EXCEEDED:
1416 		type = ICMP_TIMXCEED;
1417 		code = icmp6->icmp6_code;
1418 		break;
1419 	case ICMP6_PARAM_PROB:
1420 		switch (icmp6->icmp6_code) {
1421 		case ICMP6_PARAMPROB_HEADER:
1422 			type = ICMP_PARAMPROB;
1423 			code = ICMP_PARAMPROB_ERRATPTR;
1424 			mtu = ntohl(icmp6->icmp6_pptr);
1425 			switch (mtu) {
1426 			case 0: /* Version/Traffic Class */
1427 			case 1: /* Traffic Class/Flow Label */
1428 				break;
1429 			case 4: /* Payload Length */
1430 			case 5:
1431 				mtu = 2;
1432 				break;
1433 			case 6: /* Next Header */
1434 				mtu = 9;
1435 				break;
1436 			case 7: /* Hop Limit */
1437 				mtu = 8;
1438 				break;
1439 			default:
1440 				if (mtu >= 8 && mtu <= 23) {
1441 					mtu = 12; /* Source address */
1442 					break;
1443 				}
1444 				if (mtu >= 24 && mtu <= 39) {
1445 					mtu = 16; /* Destination address */
1446 					break;
1447 				}
1448 				DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d,"
1449 				    " code %d, pptr %d", icmp6->icmp6_type,
1450 				    icmp6->icmp6_code, mtu);
1451 				NAT64STAT_INC(&cfg->stats, dropped);
1452 				return (NAT64MFREE);
1453 			}
1454 		case ICMP6_PARAMPROB_NEXTHEADER:
1455 			type = ICMP_UNREACH;
1456 			code = ICMP_UNREACH_PROTOCOL;
1457 			break;
1458 		default:
1459 			DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d,"
1460 			    " code %d, pptr %d", icmp6->icmp6_type,
1461 			    icmp6->icmp6_code, ntohl(icmp6->icmp6_pptr));
1462 			NAT64STAT_INC(&cfg->stats, dropped);
1463 			return (NAT64MFREE);
1464 		}
1465 		break;
1466 	default:
1467 		DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d, code %d",
1468 		    icmp6->icmp6_type, icmp6->icmp6_code);
1469 		NAT64STAT_INC(&cfg->stats, dropped);
1470 		return (NAT64MFREE);
1471 	}
1472 
1473 	hlen += sizeof(struct icmp6_hdr);
1474 	if (m->m_pkthdr.len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN) {
1475 		NAT64STAT_INC(&cfg->stats, dropped);
1476 		DPRINTF(DP_DROPS, "Message is too short %d",
1477 		    m->m_pkthdr.len);
1478 		return (NAT64MFREE);
1479 	}
1480 	/*
1481 	 * We need at least ICMP_MINLEN bytes of original datagram payload
1482 	 * to generate ICMP message. It is nice that ICMP_MINLEN is equal
1483 	 * to sizeof(struct ip6_frag). So, if embedded datagram had a fragment
1484 	 * header we will not have to do m_pullup() again.
1485 	 *
1486 	 * What we have here:
1487 	 * Outer header: (IPv6iGW, v4mapPRefix+v4exthost)
1488 	 * Inner header: (v4mapPRefix+v4host, IPv6iHost) [sport, dport]
1489 	 * We need to translate it to:
1490 	 *
1491 	 * Outer header: (alias_host, v4exthost)
1492 	 * Inner header: (v4exthost, alias_host) [sport, alias_port]
1493 	 *
1494 	 * Assume caller function has checked if v4mapPRefix+v4host
1495 	 * matches configured prefix.
1496 	 * The only two things we should be provided with are mapping between
1497 	 * IPv6iHost <> alias_host and between dport and alias_port.
1498 	 */
1499 	if (m->m_len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN)
1500 		m = m_pullup(m, hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN);
1501 	if (m == NULL) {
1502 		NAT64STAT_INC(&cfg->stats, nomem);
1503 		return (NAT64RETURN);
1504 	}
1505 	ip6 = mtod(m, struct ip6_hdr *);
1506 	ip6i = mtodo(m, hlen);
1507 	ip6f = NULL;
1508 	proto = ip6i->ip6_nxt;
1509 	plen = ntohs(ip6i->ip6_plen);
1510 	hlen += sizeof(struct ip6_hdr);
1511 	if (proto == IPPROTO_FRAGMENT) {
1512 		if (m->m_pkthdr.len < hlen + sizeof(struct ip6_frag) +
1513 		    ICMP_MINLEN)
1514 			goto fail;
1515 		ip6f = mtodo(m, hlen);
1516 		proto = ip6f->ip6f_nxt;
1517 		plen -= sizeof(struct ip6_frag);
1518 		hlen += sizeof(struct ip6_frag);
1519 		/* Ajust MTU to reflect frag header size */
1520 		if (type == ICMP_UNREACH && code == ICMP_UNREACH_NEEDFRAG)
1521 			mtu -= sizeof(struct ip6_frag);
1522 	}
1523 	if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
1524 		DPRINTF(DP_DROPS, "Unsupported proto %d in the inner header",
1525 		    proto);
1526 		goto fail;
1527 	}
1528 	if (nat64_check_ip6(&ip6i->ip6_src) != 0 ||
1529 	    nat64_check_ip6(&ip6i->ip6_dst) != 0) {
1530 		DPRINTF(DP_DROPS, "Inner addresses do not passes the check");
1531 		goto fail;
1532 	}
1533 	/* Check if outer dst is the same as inner src */
1534 	if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &ip6i->ip6_src)) {
1535 		DPRINTF(DP_DROPS, "Inner src doesn't match outer dst");
1536 		goto fail;
1537 	}
1538 
1539 	/* Now we need to make a fake IPv4 packet to generate ICMP message */
1540 	ip.ip_dst.s_addr = aaddr;
1541 	ip.ip_src.s_addr = nat64_extract_ip4(&ip6i->ip6_src, cfg->plat_plen);
1542 	if (ip.ip_src.s_addr == 0)
1543 		goto fail;
1544 	/* XXX: Make fake ulp header */
1545 	if (V_nat64out == &nat64_direct) /* init_ip4hdr will decrement it */
1546 		ip6i->ip6_hlim += IPV6_HLIMDEC;
1547 	nat64_init_ip4hdr(ip6i, ip6f, plen, proto, &ip);
1548 	m_adj(m, hlen - sizeof(struct ip));
1549 	bcopy(&ip, mtod(m, void *), sizeof(ip));
1550 	nat64_icmp_reflect(m, type, code, (uint16_t)mtu, &cfg->stats,
1551 	    logdata);
1552 	return (NAT64RETURN);
1553 fail:
1554 	/*
1555 	 * We must call m_freem() because mbuf pointer could be
1556 	 * changed with m_pullup().
1557 	 */
1558 	m_freem(m);
1559 	NAT64STAT_INC(&cfg->stats, dropped);
1560 	return (NAT64RETURN);
1561 }
1562 
1563 int
1564 nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, uint16_t aport,
1565     struct nat64_config *cfg, void *logdata)
1566 {
1567 	struct ip ip;
1568 	struct nhop_object *nh;
1569 	struct sockaddr_in dst;
1570 	struct ip6_frag *frag;
1571 	struct ip6_hdr *ip6;
1572 	struct icmp6_hdr *icmp6;
1573 	uint16_t *csum;
1574 	int plen, hlen, proto;
1575 
1576 	/*
1577 	 * XXX: we expect ipfw_chk() did m_pullup() up to upper level
1578 	 * protocol's headers. Also we skip some checks, that ip6_input(),
1579 	 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did.
1580 	 */
1581 	ip6 = mtod(m, struct ip6_hdr *);
1582 	if (nat64_check_ip6(&ip6->ip6_src) != 0 ||
1583 	    nat64_check_ip6(&ip6->ip6_dst) != 0) {
1584 		return (NAT64SKIP);
1585 	}
1586 
1587 	/* Starting from this point we must not return zero */
1588 	ip.ip_src.s_addr = aaddr;
1589 	if (nat64_check_ip4(ip.ip_src.s_addr) != 0) {
1590 		DPRINTF(DP_GENERIC | DP_DROPS, "invalid source address: %08x",
1591 		    ip.ip_src.s_addr);
1592 		NAT64STAT_INC(&cfg->stats, dropped);
1593 		return (NAT64MFREE);
1594 	}
1595 
1596 	ip.ip_dst.s_addr = nat64_extract_ip4(&ip6->ip6_dst, cfg->plat_plen);
1597 	if (ip.ip_dst.s_addr == 0) {
1598 		NAT64STAT_INC(&cfg->stats, dropped);
1599 		return (NAT64MFREE);
1600 	}
1601 
1602 	if (*V_nat64ip6stealth == 0 && ip6->ip6_hlim <= IPV6_HLIMDEC) {
1603 		nat64_icmp6_reflect(m, ICMP6_TIME_EXCEEDED,
1604 		    ICMP6_TIME_EXCEED_TRANSIT, 0, &cfg->stats, logdata);
1605 		return (NAT64RETURN);
1606 	}
1607 
1608 	hlen = 0;
1609 	plen = ntohs(ip6->ip6_plen);
1610 	proto = nat64_getlasthdr(m, &hlen);
1611 	if (proto < 0) {
1612 		DPRINTF(DP_DROPS, "dropped due to mbuf isn't contigious");
1613 		NAT64STAT_INC(&cfg->stats, dropped);
1614 		return (NAT64MFREE);
1615 	}
1616 	frag = NULL;
1617 	if (proto == IPPROTO_FRAGMENT) {
1618 		/* ipfw_chk should m_pullup up to frag header */
1619 		if (m->m_len < hlen + sizeof(*frag)) {
1620 			DPRINTF(DP_DROPS,
1621 			    "dropped due to mbuf isn't contigious");
1622 			NAT64STAT_INC(&cfg->stats, dropped);
1623 			return (NAT64MFREE);
1624 		}
1625 		frag = mtodo(m, hlen);
1626 		proto = frag->ip6f_nxt;
1627 		hlen += sizeof(*frag);
1628 		/* Fragmented ICMPv6 is unsupported */
1629 		if (proto == IPPROTO_ICMPV6) {
1630 			DPRINTF(DP_DROPS, "dropped due to fragmented ICMPv6");
1631 			NAT64STAT_INC(&cfg->stats, dropped);
1632 			return (NAT64MFREE);
1633 		}
1634 		/* Fragment length must be multiple of 8 octets */
1635 		if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0 &&
1636 		    ((plen + sizeof(struct ip6_hdr) - hlen) & 0x7) != 0) {
1637 			nat64_icmp6_reflect(m, ICMP6_PARAM_PROB,
1638 			    ICMP6_PARAMPROB_HEADER,
1639 			    offsetof(struct ip6_hdr, ip6_plen), &cfg->stats,
1640 			    logdata);
1641 			return (NAT64RETURN);
1642 		}
1643 	}
1644 	plen -= hlen - sizeof(struct ip6_hdr);
1645 	if (plen < 0 || m->m_pkthdr.len < plen + hlen) {
1646 		DPRINTF(DP_DROPS, "plen %d, pkthdr.len %d, hlen %d",
1647 		    plen, m->m_pkthdr.len, hlen);
1648 		NAT64STAT_INC(&cfg->stats, dropped);
1649 		return (NAT64MFREE);
1650 	}
1651 
1652 	icmp6 = NULL;	/* Make gcc happy */
1653 	if (proto == IPPROTO_ICMPV6) {
1654 		icmp6 = mtodo(m, hlen);
1655 		if (icmp6->icmp6_type != ICMP6_ECHO_REQUEST &&
1656 		    icmp6->icmp6_type != ICMP6_ECHO_REPLY)
1657 			return (nat64_handle_icmp6(m, hlen, aaddr, aport,
1658 			    cfg, logdata));
1659 	}
1660 	dst.sin_addr.s_addr = ip.ip_dst.s_addr;
1661 	nh = nat64_find_route4(&dst, m);
1662 	if (nh == NULL) {
1663 		NAT64STAT_INC(&cfg->stats, noroute4);
1664 		nat64_icmp6_reflect(m, ICMP6_DST_UNREACH,
1665 		    ICMP6_DST_UNREACH_NOROUTE, 0, &cfg->stats, logdata);
1666 		return (NAT64RETURN);
1667 	}
1668 	if (nh->nh_mtu < plen + sizeof(ip)) {
1669 		nat64_icmp6_reflect(m, ICMP6_PACKET_TOO_BIG, 0, nh->nh_mtu,
1670 		    &cfg->stats, logdata);
1671 		return (NAT64RETURN);
1672 	}
1673 	nat64_init_ip4hdr(ip6, frag, plen, proto, &ip);
1674 
1675 	/* Handle delayed checksums if needed. */
1676 	if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
1677 		m = mb_unmapped_to_ext(m);
1678 		if (m == NULL) {
1679 			NAT64STAT_INC(&cfg->stats, nomem);
1680 			return (NAT64RETURN);
1681 		}
1682 		in6_delayed_cksum(m, plen, hlen);
1683 		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
1684 	}
1685 	/* Convert checksums. */
1686 	switch (proto) {
1687 	case IPPROTO_TCP:
1688 		csum = &TCP(mtodo(m, hlen))->th_sum;
1689 		if (aport != 0) {
1690 			struct tcphdr *tcp = TCP(mtodo(m, hlen));
1691 			*csum = cksum_adjust(*csum, tcp->th_sport, aport);
1692 			tcp->th_sport = aport;
1693 		}
1694 		*csum = cksum_add(*csum, nat64_cksum_convert(ip6, &ip));
1695 		break;
1696 	case IPPROTO_UDP:
1697 		csum = &UDP(mtodo(m, hlen))->uh_sum;
1698 		if (aport != 0) {
1699 			struct udphdr *udp = UDP(mtodo(m, hlen));
1700 			*csum = cksum_adjust(*csum, udp->uh_sport, aport);
1701 			udp->uh_sport = aport;
1702 		}
1703 		*csum = cksum_add(*csum, nat64_cksum_convert(ip6, &ip));
1704 		break;
1705 	case IPPROTO_ICMPV6:
1706 		/* Checksum in ICMPv6 covers pseudo header */
1707 		csum = &icmp6->icmp6_cksum;
1708 		*csum = cksum_add(*csum, in6_cksum_pseudo(ip6, plen,
1709 		    IPPROTO_ICMPV6, 0));
1710 		/* Convert ICMPv6 types to ICMP */
1711 		proto = *(uint16_t *)icmp6; /* save old word for cksum_adjust */
1712 		if (icmp6->icmp6_type == ICMP6_ECHO_REQUEST)
1713 			icmp6->icmp6_type = ICMP_ECHO;
1714 		else /* ICMP6_ECHO_REPLY */
1715 			icmp6->icmp6_type = ICMP_ECHOREPLY;
1716 		*csum = cksum_adjust(*csum, (uint16_t)proto,
1717 		    *(uint16_t *)icmp6);
1718 		if (aport != 0) {
1719 			uint16_t old_id = icmp6->icmp6_id;
1720 			icmp6->icmp6_id = aport;
1721 			*csum = cksum_adjust(*csum, old_id, aport);
1722 		}
1723 		break;
1724 	};
1725 
1726 	m_adj(m, hlen - sizeof(ip));
1727 	bcopy(&ip, mtod(m, void *), sizeof(ip));
1728 	if (V_nat64out->output(nh->nh_ifp, m, (struct sockaddr *)&dst,
1729 	    &cfg->stats, logdata) == 0)
1730 		NAT64STAT_INC(&cfg->stats, opcnt64);
1731 	return (NAT64RETURN);
1732 }
1733